DirectAdmin 1.50.1 has been released

Letsencrypt options are only available in enhanced skin. Will DA update power_user skin?
 
I have upgraded to 1.50.1. Can you confirm where letsencrypt_post.sh should go? I'm thinking of using it to fix the permissions on the key and cert files after they are renewed, since I have symbolic links pointing to those.
 
Thanks, that seems to be working. It's not in the README yet!

Mail example:

Code:
#!/bin/bash
# letsencrypt_post.sh: DirectAdmin runs this after a Let's Encrypt request/renewal.
# DA passes username, domain, action and exit_code in the environment.

if [ -z "$username" ]; then echo "Missing username."; exit 1; fi
if [ -z "$domain" ]; then echo "Missing domain."; exit 2; fi

# Only act after a successful request or renewal
if [ -z "$exit_code" ] || [ "$exit_code" -ne 0 ]; then exit 3; fi
if [ "$action" != 'request' ] && [ "$action" != 'renew' ]; then exit 4; fi

FDIR="/usr/local/directadmin/data/users/$username/domains"

# Give the mail group read access to the renewed CA chain, certificate and key
chown :mail "$FDIR/${domain}.cacert" "$FDIR/${domain}.cert" "$FDIR/${domain}.key"
chmod g+r "$FDIR/${domain}.cacert" "$FDIR/${domain}.cert" "$FDIR/${domain}.key"
 
Can anyone confirm or deny this?

Directadmin ControlPanel 1.50.1 denial of service Vulnerability
 
I've tested a very long user/pass and didn't duplicate the issue, so I don't see any evidence that it's valid.
I just get this in the debug output:
Code:
Username AAAAAAAAAAAAAA....AAAAAAAAA is 10890 characters long, but the directadmin.conf has this setting 'max_username_length=10'
so it had no effect.
I also hammered it many times, but didn't notice any of the child processes hanging or becoming unresponsive.

If anyone notices otherwise, please let us know, preferably via email or ticket :)
For the security of everyone's server, it's typically best to notify the coder of a security issue first :)

John
 
Hello John, did you also try these very long chars (PHP) with the PASSWORD only?
Your text (debug) is about the username length, or sorry if I understood your text wrong here.

The issue there is waiting for verification (but the author has reported some issues before where he was right).

Is there a check for only the max password length? (With little/low hardware resources on the server, as a DA user/reseller/admin that only has a "tiny" account somewhere.)
 
Yes, I've also tested a 10,000 character password only, with "admin" and with a non-existent User, to no effect.
DA just correctly returns a wrong password message.

I've tried various combinations including with the login_keys=0 turned off, on, but no luck.
I've added a hard length check anyway (1024), but not sure that it was required.

John
 
John,

I've been looking at the upcoming release changes and there are a lot of fairly significant updates (which is awesome).

I really like small incremental updates.

A suggestion if possible would be to look at consistent releases monthly/bi-monthly/quarterly (whichever works best) with the features that are ready, rather than waiting for a large bundle.

Thanks,

Kevin
 
Totally agree there. The plan was to get DA released with the new skin, but that's taking longer than expected, hence the delay.
We may end up just releasing the next DA now, before the skin is ready, even though it has a huge number of internal changes for the new skin, that you won't really notice :)

John
 
The guy posted a new alert, now because of XSS.

URL REMOVED

Comments?

This is the second time you post that kind of link in this thread. Did you not read John's first reply?: http://forum.directadmin.com/showthread.php?t=53336&p=278133#post278133

For the security of everyone's server, it's typically best to notify the coder of a security issue first

Please stop posting those links, instead send a ticket to https://tickets.directadmin.com
 
I did read his response.

"If anyone notices otherwise, please let us know, preferably via email or ticket". The bit about "best to notify the coder", I think, was meant in response to the guy publicly posting this before contacting DA about the issue, as is customary. Since it's already out there it concerns everybody running DA, and what better place to post it than here?

If I had found an issue myself I'd notify DA first.
 